OpenStack Introduction for Ubuntu Part I

OpenStack is an open source cloud-computing project for public and private clouds managed by the OpenStack Foundation, the mail goal of this project is provide an Infrastructure as a Service (IaaS) plataform. This post series are an introduction about how can be the platafform installed on Ubuntu 12.04 (LTS). At this link a complete installation guide can be found

OpenStack Services

  • OpenStack Dashboard ( Graphical interface to access, provision and automate cloud-based resources.
  • OpenStack Compute ( Cloud operating system that enables enterprises and service providers to offer on-demand computing resources, by provisioning and managing large networks of virtual machines.
  • OpenStack Networking ( Pluggable, scalable and API-driven system for managing networks and IP addresses.
  • OpenStack Storage ( Object and Block storage for use with servers and applications.
  • Identity Service ( Central directory of users mapped to the OpenStack services they can access.
  • Image Service ( Provides discovery, registration and delivery services for disk and server images.
  • Telemetry Service ( Aggregates usage and performance data across the services deployed in an OpenStack cloud.
  • Orchestration Service ( Template-driven engine that allows application developers to describe and automate the deployment of infrastructure.

Basic architecture with OpenStack Networking (Neutron)

  • The controller node runs the Identity Service, Image Service, dashboard, and management portions of Compute and Networking. It also contains the associated API services, MySQL databases, and messaging system.
  • The network node runs the Networking plug-in agent and several layer 3 agents that provision tenant networks and provide services to them, including routing, NAT, and DHCP. It also handles external (internet) connectivity for tenant virtual machines.
  • The compute node runs the hypervisor portion of Compute, which operates tenant virtual machines. By default, Compute uses KVM as the hypervisor. The compute node also runs the Networking plug-in agent, which operates tenant networks and implements security groups.


Configuring Internal network

Conventional configuration requires two network interfaces on every machine, one for internet communication and another for local network communication, for simplicity we will assume that these interfaces are eth0 and eth1. An example of /etc/network/interfaces configuration file for controller node can be:

# Internal Network
    auto eth0
    iface eth0 inet static
# External Network
    auto eth1
    iface eth1 inet static

Use the hostname command to set the host name:

   # hostname controller 

To configure this host name to be available when the system reboots, you must specify it in the /etc/hostname file, which contains a single line with the host name.

For a simple example edit hosts file and add all the hostnames, real systems should use a dns or a system like chef to set up this host list       localhost    controller    compute1

Network Time Protocol (NTP)

To synchronize services across multiple machines, you must install NTP on every node. After install edit /etc/ntp.conf and change the server directive to use the controller node as internet time source.

   # apt-get install ntp 


Every service require a password. You can generate random passwords using openssl rand -hex 10 command. The complete list of passwords you need to define in this guide are:

Password name Description
Database password (no variable used) Root password for the database
RABBIT_PASS Password of user guest of RabbitMQ
KEYSTONE_DBPASS Database password of Identity service
ADMIN_PASS Password of user admin
GLANCE_DBPASS Database password for Image Service
GLANCE_PASS Password of Image Service user glance
NOVA_DBPASS Database password for Compute service
NOVA_PASS Password of Compute service user nova
DASH_DBPASS Database password for the dashboard
CINDER_DBPASS Database password for the Block Storage Service
CINDER_PASS Password of Block Storage Service user cinder
NEUTRON_DBPASS Database password for the Networking service
NEUTRON_PASS Password of Networking service user neutron
HEAT_DBPASS Database password for the Orchestration service
HEAT_PASS Password of Orchestration service user heat
CEILOMETER_DBPASS Database password for the Telemetry service
CEILOMETER_PASS Password of Telemetry service user ceilometer

Mysql Install

MysqlDb is required to store information Open Stack Information

Mysql Controller Setup

   # apt-get install python-mysqldb mysql-server 

Mysql Node Setup

   apt-get install python-mysqldb 

Open Stack Packages

The Ubuntu Cloud Archive is a special repository that allows you to install newer releases of OpenStack on the stable supported version of Ubuntu.

   # apt-get install python-software-properties
   # add-apt-repository cloud-archive:havana 
   # apt-get update && apt-get dist-upgrade
   # reboot

Messaging server

Install RabbitMQ and change its default password.

   # apt-get install rabbitmq-server 
   # rabbitmqctl change_password guest RABBIT_PASS

Configure the Identity Service

Identity Service concepts

The Identity Service performs the following functions:

  • User management: Tracks users and their permissions.
  • Service catalog: Provides a catalog of available services with their API endpoints.

Install the Identity Service

Install the OpenStack Identity Service on the controller node:

   # apt-get install keystone 

Edit /etc/keystone/keystone.conf and change the [sql] section.

    # The SQLAlchemy connection string used to connect to the database
    connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

Create a keystone database user:

  # mysql -u root -p
    mysql> CREATE DATABASE keystone;
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \

Create the database tables for the Identity Service:

    # keystone-manage db_sync

Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:

   # openssl rand -hex 10 

Edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the results of the command

    # A "shared secret" between keystone and other openstack services
    admin_token = ADMIN_TOKEN 

Restart #service keystone restart

Define users, tenants, and roles

We don't have any users yet for the identity service but we can connect it usign the admin access token, in order to that, we need export next environment variables:

   # export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0 

Create a tenant for an administrative user and a tenant for other OpenStack services to use.

    # keystone tenant-create --name=admin --description="Admin Tenant"
    # keystone tenant-create --name=service --description="Service Tenant"

Create an administrative user called admin. Choose a password for the admin user and specify an email address for the account.

   # keystone user-create --name=admin --pass=ADMIN_PASS 

Create a role for administrative tasks called admin.

    # keystone role-create --name=admin

Add roles to users. Users always log in with a tenant, and roles are assigned to users within tenants. Add the admin role to the admin user when logging in with the admin tenant.

   # keystone user-role-add --user=admin --tenant=admin --role=admin 

Define services and API endpoints

You must register each service in your OpenStack installation using the next commands:

  • keystone service-create. Describes the service.
  • keystone endpoint-create. Associates API endpoints with the service.

You must also register the Identity Service itself. Use the OS_SERVICE_TOKEN environment variable, as set previously, for authentication.

Create a service entry for the Identity Service
   # keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"

    |   Property  |              Value               |
    | description |    Keystone Identity Service     |
    |      id     | 19072b6631ec4c0b9d3f93a8b89efd41 |
    |     name    |             keystone             |
    |     type    |             identity             |

Specify an API endpoint for the Identity Service

Use the returned service ID. When you specify an endpoint, you provide URLs for the public API, internal API, and admin API.

   # keystone endpoint-create \
  --publicurl=http://controller:5000/v2.0 \
  --internalurl=http://controller:5000/v2.0 \

    |   Property  |              Value               |
    |   adminurl  |   http://controller:35357/v2.0   |
    |      id     | dcff14339da049fbb42031f4b1490250 |
    | internalurl |   http://controller:5000/v2.0    |
    |  publicurl  |   http://controller:5000/v2.0    |
    |    region   |            regionOne             |
    |  service_id | 19072b6631ec4c0b9d3f93a8b89efd41 |

Note: As you add other services to your OpenStack installation, call these commands to register the services with the Identity Service

Verify the Identity Service installation

Unset the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables


You can now use regular username-based authentication. Request an authentication token using the admin user and the password you chose during the earlier administrative user-creation step. You should receive a token in response, paired with your user ID. This verifies that keystone is running on the expected endpoint, and that your user account is established with the expected credentials.

   $ keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-auth-url=http://controller:35357/v2.0 token-get 

Verify that authorization is behaving as expected by requesting authorization on a tenant.

  $ keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 token-get 

You can also set your --os-* variables in your environment to simplify command-line usage

    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_AUTH_URL=http://controller:35357/v2.0 

Verify if the variables has been setted correctly, using keystone command without --os option

   $ keystone token-get 

Verify that your admin account has authorization to perform administrative commands.

   $ keystone user-list 

You can continue with the sencond part at this link